A generalized framework for elliptic curves based PRNG and its utilization in image encryption

In the last decade, Elliptic Curves (ECs) have shown their efficacy as a safe fundamental component in encryption systems, mainly when used in Pseudorandom Number Generator (PRNG) design. This paper proposes a framework for designing EC-based PRNG and maps recent PRNG design techniques into the framework, classifying them as iterative and non-iterative. Furthermore, a PRNG is designed based on the framework and verified using the National Institute of Standards and Technology (NIST) statistical test suite. The PRNG is then utilized in an image encryption system where statistical measures, differential attack measures, the NIST statistical test suite, and system key sensitivity analysis are used to demonstrate the system's security. The results are good and promising as compared with other related work.

www.nature.com/scientificreports/ designed by utilizing the proposed PRNG. Furthermore, the different evaluation criteria are explained and used in assessing the PRNG and the encryption system. Finally, a comparison with related literature is given, followed by the conclusions.

Elliptic curves basics
A Weierstrass equation takes the form $y^2 = x^3 + Ax + B$, where $A$ and $B$ are constants. An EC is defined over a field $F$ when $A, B \in F$. For the cubic equation not to have multiple roots, a restriction is added over the values of $A$ and $B$, which is $4A^3 + 27B^2 \neq 0$ 21. For cryptography applications, $x$, $y$, $A$, and $B$ are taken to be elements from the finite fields $F_p$, where $p$ is a large prime. Adding the point at infinity $O$ to the set of all points satisfying the EC equation creates an additive abelian group with $O$ being the identity element. Group operations are point addition and multiplication. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on an EC, $E$, then $P_3 = P_1 + P_2 = (x_3, y_3)$ is calculated using
The geometrical interpretation for the first three cases of point addition on EC is summarized in Fig. 1. Point multiplication by a value $n$ is treated as successively adding the point to itself $n$ times. An efficient implementation for point multiplication is the point doubling algorithm 21.
The order of a point $P$ is the smallest positive integer $k$ such that $kP = O$. The order of a point $P$ always divides the order of the group $E(F_p)$. Let $G$ be a point on the EC, $E$, then $G$ is called a generator point with order $N$ for the cyclic subgroup consisting of the points $\{G, 2G, 3G, \ldots, NG = O\}$.

Framework for EC-based PRNGs
A PRNG is a critical element in any encryption system as it provides the system with a pseudorandom keystream. A good design of a PRNG should be sensitive to the initial state, give uniform distribution of output bits, and the period should be large enough to resist cryptanalysis attacks 22.
EC points are the primary source for any EC-based PRNG, which can generally fall into two schemes. The first scheme picks a generator point with a large order group and applies group operations to calculate new points and extract the random bits from the coordinates of each point. On the other hand, the second scheme calculates all required EC points, and then the coordinates of the points are used in producing the random bits. In this sense, a framework can be established where both design schemes can fit in. While the first scheme is called iterative because the points are generated one at a time, the second scheme is called non-iterative since all points are generated simultaneously. The proposed framework, shown in Fig. 2, consists of the following four main blocks.
• Parameters initialization: In this stage, EC parameters are initialized. In some design cases, other systems are integrated into the process and, hence, those system parameters are also initialized in this stage. For example, suppose that a chaos-based system is integrated into the design to enhance the randomness of the process and add extra complexity against different attacks. In this case, all parameters required by this chaotic system are initialized.
(1)
values of x or randomly selected values of x using some criteria.
• Points manipulation: In this stage, the produced points are processed based on some design criteria. For instance, the coordinates of the points can be converted into binary form. Other designs can use the coordinate values and apply mathematical formulas to produce a number.
• Bits extraction: This stage processes the output from the previous stage and generates the required pseudorandom bits. For example, a common logic in this stage includes bit truncation to satisfy particular design criteria.
Table 1 compares iterative and non-iterative designs with respect to different aspects. Clearly, each design category has its advantages. Depending on the application, the designer should choose the design that is more suitable. For instance, in applications that work with unknown data lengths like voice calls, it is better to use an iterative design as the period of the PRNG will be long enough to cover the amount of data that needs to be encrypted. In applications that work with known data length, like images, non-iterative designs can pick an EC with enough points to achieve the required period for PRNG. In the following subsections, some recent EC-based PRNG literature is discussed and mapped into the proposed framework, which demonstrates the framework's flexibility.
Iterative designs. Several iterative PRNG algorithms were introduced during the last decade, such as the techniques shown in Fig. 3, where a simplified block diagram for each technique is depicted. Table 2 demonstrates the mappings of those techniques into the proposed framework.
Fig. 4, where a simplified block diagram for each design is depicted. Table 3 demonstrates the mappings of those designs into the proposed framework.
In summary, EC point coordinates, in their binary form, can serve as a good source for random bits. The surveyed literature can be grouped into two categories, iterative and non-iterative. The main disadvantage of the first category is that the iterative equation can include too many EC group operations and may be combined with other operations regarding non-EC elements, which can be complex in limited resource systems. The main disadvantage of the second category is that it cannot be used with large prime numbers, where safe recommended ECs exist, because it is not possible to calculate all curve points. Therefore, this paper proposes to design an iterative PRNG with only one addition operation, which makes it suitable in a limited resource system and can be used in real-time applications using NIST-recommended safe ECs.

Table 2. Mapping of the surveyed iterative techniques into the proposed framework.

Ref. no. Parameters initialization Points generation Points manipulation Bits extraction Notes
Ref. 23, 2015 Point P on the curve and a key e Using e , find K 0 Using e , initialize LFSR The two points Y and G have very high orders
Ref. 26, 2019 Point P 0 of order n Pick r ∈ [1, n − 1] let α 1 , . . . , α p be a basis of F 2 p P k = r k P 0 x k = X(P k ) n has a large prime order r has a large multiplicative order mod n
Ref. 27, 2020 ϕ is a truncation function H is a hash function Apply ϕ on the x-coordinate of S i−1 P Apply ϕ on H(S i ) Read lower-order bits from h i The hash function enhanced the statistical properties of the output bits

Proposed PRNG
With the proper choice of the EC parameters and a generator point G with a high order, usually a large prime number, the cyclic subgroup generated by the point G can be iterated. Moreover, using each point coordinate, pseudorandom numbers can be extracted. In this paper, a simple PRNG is designed and used in image encryption.
The PRNG is based on the iterative equation
$$P_{n+1} = P_n + P_0, \tag{2}$$
where $P_0 = KG$ is the initial base point of the PRNG, $K$ is the system key value, and $G$ is the generator point. If $P_0$ is changed, a completely new sequence of points is generated. For each point, the x and y coordinates are converted into their equivalent binary representation. Then, the least significant 96 bits from each coordinate are mixed to create a stream of 192 bits, as shown in Fig. 5a. For the example shown in Fig. 5b, consider a point $P(x, y)$. The least significant 96 bits, $x^*$ and $y^*$, are extracted from each coordinate, respectively. Then, each 24 bits from $x^*$ and $y^*$ are extracted and mixed to form the final bitstream. The resulting bits are random because the hopping from one point to another gives an entirely different point regarding coordinate values, and because of the mixing between the x and y coordinates. It is important not to extract more bits from each coordinate because higher bits are not chaotic enough, and the more bits are used, the less secure the bitstream becomes; it can then be attacked, as pointed out in Ref. 34.

Table 3. Mapping of the surveyed non-iterative techniques into the proposed framework.

Ref. no. Parameters initialization Points generation Points manipulation Bits extraction Notes
Ref. 28  ] Select a total order operator < * For each integer y in Y find the point x, y Calculate the point t 2 x, t 3 y then add it to set A Sort the set A using the total order operator < * Read the y-coordinate modm from the sorted list MEC has the property of a = 0 p ≡ 2 mod 3
Ref. 30, 2021 Select large prime P Generate the curve E P a using brute force technique Apply brute force search on E P
Ref. 31  The random generation of points is based on a predefined function

In the PRNG design, every point from the EC can produce 192 bits, and since the generator is used to encrypt images, every 24 bits (no. of bits in each pixel) are parsed from the bitstream and then used to encrypt the image pixel. Hence, in pixel terms, a total of 192/24 = 8 pixels can be encrypted using only one point from the EC.
The PRNG design is inspired by the proposed framework, where the number of operations in each stage is minimized to achieve better performance. Figure 6 shows the simplified block diagram for the proposed PRNG, whereas Table 4 shows the mapping of this design into the proposed framework. The proposed PRNG has only one EC addition operation in the points generation stage, which helps in speeding up the time consumed in this stage. Furthermore, only decimal to binary conversion is applied in the points manipulation stage, and mixing (bit shifting) and truncation operations are performed in the bits extraction stage. In this sense, the design of the PRNG is optimized for speed and low resources.
In practice, the EC parameters and G should be chosen such that the order of G is a large prime number. Hence, the period of such a PRNG is large enough to be used in encryption applications. In this work, the PRNG uses Curve-192, although any other recommended secure curve can be used as well. This curve is one of NIST's recommended curves 35; its prime modulus p is 192 bits, the base point G has 189 bits and 187 bits in the x and y coordinates, respectively, and its order n is 192 bits. Iterating the cyclic group generated by G, the average number of bits in each point's x and y coordinates is close to that of the generator point G.

Proposed encryption system
The block diagram of the proposed encryption system is shown in Fig. 7, where the system consists of two main stages necessary to achieve Shannon's confusion and diffusion properties 36. The first stage is the substitution stage, where pixel values are changed. The second stage is the permutation stage, where pixel locations are shuffled across the image. For the system to be sensitive to input changes, the algebraic sum of all pixels in the three channels is calculated and used to modify the permutation stage parameters. In this sense, the system is protected from different differential attack attempts.
Substitution stage. In this stage, the output from the PRNG is XORed with the image pixel. In addition, a delay element is used to make the current encrypted pixel's value dependent on the last encrypted pixel value. Hence, this provides the system with more strength against differential attacks.
The substitution phase can be represented using the equation
where $E_R$, $E_G$, and $E_B$ are the encrypted pixel values for the red, green, and blue channels, respectively. $RN_i$ is the ith byte from the PRNG bitstream. $I_R$, $I_G$, and $I_B$ are the image pixel values for the red, green, and blue channels, respectively. $D_R$, $D_G$, and $D_B$ are the previous encrypted pixel values for the red, green, and blue channels, respectively, and each is initialized with the value of 0.

Table 4. Mapping of the proposed PRNG into the proposed framework.

Parameters initialization Points generation Points manipulation Bits extraction Notes
Select secure EC Select K $P_0 = KG$ Increment index n $P_{n+1} = P_n + P_0$ Convert the x and y coordinates of the point $P_n$ into its binary form

(5a) $S = \mathrm{sum}(\text{image pixels})$,
(5b) $a = \mathrm{mod}(S + a_{key}, M - 1) + 1$,
where $a_{key}$, $b_{key}$ are 8-bit numbers extracted from the system key as shown in Fig. 8, and mod returns the remainder after division.
System key. The system key should be at least 128 bits, long enough to resist brute-force attacks in cryptographic applications. Furthermore, any change in the key, even a one-bit change, should produce completely different output from the original key. As shown in Fig. 8, a random 128-bit number K is selected to be the system key where Arnold's cat map parameters a and b are extracted from this key.
For security purposes, the generator point G provided by the NIST Curve-192 cannot be used as the base point of the PRNG. Therefore, in the beginning, the point $P_0 = KG$ is calculated. It is worth mentioning that the large value of K will not affect the speed of calculating the point $P_0$ as mentioned earlier in the introduction.

Evaluation criteria
This section discusses different evaluation criteria used to evaluate the proposed PRNG and encryption system.
NIST statistical test suite. NIST SP-800-22 is a group of 15 tests applied on bitstreams to decide the randomness of the bits 37. If any of the tests fails, the bitstream is not recommended to be used in cryptography applications. The output from this test is validated by the P-value distribution (PV) and the proportion of passing sequences (PP). For a truly random sequence, the PV is equal to 1, while for a nonrandom sequence, the PV approaches 0. A significance level α controls the success of each test. If PV ≥ α, then the sequence passes the test; otherwise, it fails the test. In case of cryptography applications, α = 0.01, which means that if more than 1% of the sequence fails the test, then the complete sequence is considered nonrandom.
Correlation coefficients of image pixels. This metric measures how much image pixels are correlated to each other. This measure is generally applied to adjacent pixels in the horizontal, vertical, and diagonal directions. It is calculated using:
where N is the number of elements in the two vectors x and y. For typical images, the value of ρ is close to 1, while for encrypted images, the value of ρ should be closer to 0.

Differential attack measures.
This attack studies the relationship between two encrypted images after changing one pixel in the source image. Three measures are used, which are the Mean Absolute Error (MAE), the Number of Pixels Change Rate (NPCR), and the Unified Average Changing Intensity (UACI) 38. Expected values for MAE, NPCR, and UACI are around 100, 99.6%, and 33.34%, respectively. Let E be the source image, E1 be the encrypted image and E2 be the encrypted image after changing one pixel in the original image, then
where W and H are the width and height of the image, respectively.

Mean square error (MSE).
This metric is used to measure the error between two images. Let E be the source image and D be the wrong decrypted image, then

Entropy analysis.
Entropy is a measure of the predictability of random sources. For a source that produces $N$ symbols with probabilities $P(S_i)$, $i = 1, 2, \ldots, N$, the entropy of that source is calculated using:
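An added example, not from the paper, that computes NPCR, UACI, Shannon entropy and the horizontal adjacent-pixel correlation for one 8-bit channel, using the commonly used definitions of these measures (assumed here to match the paper's equations). The gradient "plain" image and the two uniformly random "cipher" images are constructed stand-ins, not output of the proposed system, and all function names are assumptions.

```python
import math
import random
from collections import Counter

def npcr_uaci(c1, c2):
    """Return (NPCR %, UACI %) for two equal-size 8-bit cipher images."""
    if len(c1) != len(c2) or not c1:
        raise ValueError("images must be non-empty and the same size")
    changed = sum(a != b for a, b in zip(c1, c2))
    intensity = sum(abs(a - b) for a, b in zip(c1, c2))
    return 100.0 * changed / len(c1), 100.0 * intensity / (255 * len(c1))

def entropy(data):
    """Shannon entropy in bits per 8-bit symbol: -sum P(s) log2 P(s)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def horizontal_correlation(img, width):
    """Pearson correlation of horizontally adjacent pixels (row-major image)."""
    xs, ys = [], []
    for row in range(len(img) // width):
        line = img[row * width:(row + 1) * width]
        xs.extend(line[:-1])
        ys.extend(line[1:])
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def demo(width=256, height=256, seed=1):
    """Metrics for constructed data: a smooth gradient and two random images."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    n = width * height
    plain = bytes(((r + c) // 2) % 256 for r in range(height) for c in range(width))
    cipher1 = bytes(rng.getrandbits(8) for _ in range(n))  # constructed stand-in
    cipher2 = bytes(rng.getrandbits(8) for _ in range(n))  # constructed stand-in
    npcr, uaci = npcr_uaci(cipher1, cipher2)
    return {
        "npcr": npcr,
        "uaci": uaci,
        "entropy_plain": entropy(plain),
        "entropy_cipher": entropy(cipher1),
        "corr_plain": horizontal_correlation(plain, width),
        "corr_cipher": horizontal_correlation(cipher1, width),
    }
```

Two independent uniformly random images give the baseline against which a cipher's NPCR, UACI, entropy and correlation figures are read.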

Analysis results
In this section, the randomness and efficiency of the PRNG are first demonstrated. Then, the encryption system is evaluated using the Peppers image of size 256 × 256 as well as some additional images from the USC-SIPI database 39 of size 512 × 512. The system key sensitivity is examined by changing one bit and observing the results. Finally, the computation complexity is analyzed and comparisons with related literature are given.
Let $K_1$ = ede8a3004ce2b2579c937b3874aba2de be a 128-bit random number and let $K_1^* = K_1 + 1$. Let $K_2$ = fe23c064b1cc841a0027ad705ac47d98 and $K_3$ = b6c575a9a76716fcbccdcf16740fb22b. The choice of $K_1^*$ was made to test the sensitivity of the PRNG for only a one-bit change in the key. In order to test the PRNG using the NIST test suite, a total of $25165824 = 24 \times 2^{20}$ bits are generated, equal to the number of bits found in a color image of size 1024 × 1024.
The NIST results for the PRNG are shown in Table 5. For the sensitivity test using $K_1$ and $K_1^*$, the results show that the bitstreams are random and have passed all 15 tests. Furthermore, the bitstreams are converted into two color images, and the results are shown in Fig. 9. Visual inspection of the images supports the NIST results. The correlation between the two bitstreams is calculated and found to be 0.0009, demonstrating the PRNG's sensitivity to one-bit change in the key. As for other test cases, ($K_2, K_3, \ldots, K_{30}$), similar results are achieved. Accordingly, Table 5 and Fig. 9 include the results for $K_2$ and $K_3$ as representatives for the remaining cases.
Table 6 compares some iterative methods with this work. Although all iterative methods can achieve a long period with the proper choice of the EC parameters, the complexity for each technique is not the same. The more operations involved in the design, the more complex the design is. Clearly, the proposed PRNG contains the least number of EC and non-EC operations and, hence, has the least complexity.
The proposed PRNG is examined to determine the bitrate that can be achieved. The experiment is conducted on a Dell laptop with processor Intel Core i7-1065G7 CPU @ 1.30 GHz, running Windows 10 with 16 GB of RAM. Two implementations for the PRNG are considered; the first one uses C# under .NET Framework 4.7 and the second one uses MATLAB R2015a. The proposed PRNG is run 30 times, with 65,536 bytes generated in each run. Then, the average bitrate is calculated for both the MATLAB and C# implementations. In the case of MATLAB, the Java BigInteger class is used, leading to runtime overhead due to calls between MATLAB and Java. In the case of C#, however, no overhead is encountered as C# contains an implementation for the BigInteger class. Table 7 compares the bitrates achieved in Megabits per second (Mbps) by the proposed PRNG and other related PRNGs based on ECs. The bitrates achieved by this work are better than those achieved by other related works, which is attributed to the few operations used, as shown in Table 6.
Encryption system results. Using the same system key $K_1$ (see Fig. 8), the values for $a_{key}$ and $b_{key}$ are 222 and 162, respectively. Figure 10 shows the histogram plots for Peppers and encrypted Peppers where the input image has clear peaks while the encrypted image has a uniform distribution across all channels, as supported by the correlation results in Table 8. Furthermore, it is clear from the visual inspection that the encrypted output image shows complete randomness. Figure 11 shows the adjacent pixel values and correlation values in horizontal, vertical, and diagonal directions for the red channel of Peppers and encrypted Peppers. Similar results are achieved in the green and blue channels. Table 8 shows the correlation results for encrypted Peppers in horizontal, vertical, and diagonal directions. The values are close to zero, indicating that the pixels are no longer correlated after the encryption. The differential attack measures are calculated by taking the average values after changing the pixel value in ten random pixels. It is clear from the results that the dependence of Arnold's cat map parameters on the image, as given by Eq. (5), enhanced the results of the differential attack measures. Furthermore, the MSE results show how far the encrypted image is from the source image. At the same time, the entropy values are very close to 8, which provides evidence of the randomness existing in the encrypted images.
In addition, Fig. 12 shows the statistical analysis results for encrypted Peppers using 30 different system keys ($K_1, K_2, \ldots, K_{30}$). For the box plot, the correlation results in the horizontal, vertical, and diagonal directions are given. The horizontal and vertical results are distributed symmetrically, while the diagonal results are positively skewed. The interquartile maximum range is 0.0027, which means that the three distributions are very concentrated. For the entropy histogram, NPCR histogram, and UACI histogram, it is clear that most of the results fall in the highest range for each test indicating the quality of the encrypted image regardless of the used system key.
Furthermore, Table 9 summarizes the statistical analysis results where all results are in the good, expected ranges. The results provide evidence that the system is stable with respect to different system keys. The small values of the standard deviation demonstrate that, for any system key, the results are expected to be very close to the average results achieved.
System key sensitivity results. The sensitivity of the system key is examined by changing one bit in it, then decrypting an image with this wrong key and checking the results. Since the system key value is used in calculating the base point $P_0$ used by the PRNG, any change in any bit produces a new base point. Hence, the PRNG will not be synchronized with the encrypted image. Two cases are examined, Case I, where the least significant bit is changed, and Case II, where the 9th bit is changed. In Case I, the value of $a_{key}$ is changed, whereas the value of $b_{key}$ is unchanged. While in Case II, the value of $a_{key}$ is kept unchanged, whereas the value of $b_{key}$ is changed. Table 11 shows the results for the two test cases. The PRNG was not synchronized with the encrypted image in cases I and II. Therefore, the results for the MSE are large, and entropy values indicate the complete randomness of the wrong decrypted images. These results are supported by visual inspection of the decrypted images, as shown in Fig. 13.
N). Therefore, the total complexity for the system is
Comparison with related literature. Table 13 gives the total execution time, using MATLAB R2015a, for the proposed encryption and decryption systems compared to other related work. The proposed system performance is clearly better.

Conclusions
The presented PRNG has a simple and efficient design, which was achieved by utilizing the proposed framework through minimizing the EC and non-EC operations. Consequently, the introduced encryption system utilizes low computational resources and, hence, it is a good candidate for real-time applications.
In conclusion, ECs are good candidates for designing PRNGs. The number of bits in each point coordinate is suitable for bit extraction in secure curves with large prime numbers. Furthermore, the system's security is inherited from the difficulty of the DLP. Finally, the proposed framework for designing PRNGs can help in optimizing the system design by simplifying each block as much as possible, resulting in fast and secure bitstream output. Future work includes enhancing bit extraction criteria to increase the number of bits extracted from each point coordinate and utilizing ECs in generating dynamic S-boxes.

Data availability
The data used in this paper are available from the corresponding author upon request.